My Best Practices for Deploying a Web Application on Alibaba Cloud

    Liptan Biswas
    Liptan Biswas

    This article was originally published on Alibaba Cloud. Thank you for supporting the partners who make SitePoint possible.

    In this article, I want to share the best practices I use when deploying a web application to Alibaba Cloud. I work as a freelancer and recently one of my clients asked me to setup SuiteCRM for his small organization. Since I frequently write tutorials for Alibaba Cloud, I recommended that the client use the same cloud platform. For nearly 100 users and at least 30 concurrent users, here’s the configuration I recommended.

    1. ECS instance of 2 vCPUs and 4GB RAM to install Nginx with PHP-FPM.
    2. ApsaraDB for RDS instance for MySQL with 1GB core, 1 GB RAM, and 10 GB storage.
    3. Direct Mail for sending emails.

    The steps I followed are very simple and can be adopted for nearly all PHP based applications.

    If you are new to Alibaba Cloud, you can use this link to sign up to Alibaba Cloud. You will get new user credit worth US$300 for free, which you can use to try out different Alibaba Cloud products.

    Creating an ECS Instance

    Alibaba Cloud has documented nearly everything you will require to get started with the cloud platform. You can use the Getting Started Tutorials or the Tech Share Blog to learn how to start using Alibaba Cloud. You can find the most obvious steps in the Quick Start Guide and let me walk you through the best practices to use when creating the ECS instance.

    Log in to your Alibaba Cloud console and go to Elastic Compute Service interface. You can easily create the instance by clicking the Create Instance button. Things to keep in mind are:

    1. Region: Since Alibaba Cloud has data centers all around the globe, always choose the region which is geographically closer to the users of the application. As the data center is closer to the user, the website will load very fast due to the low latency of the network. In my case, I chose Mumbai region, as the organization was based in Mumbai itself.
    2. Billing Method: If you are planning to continuously run the instance 24/7, you should always choose the monthly subscription as it will cut down the price to less than half compared to Pay-As-You-Go. For example, the monthly subscription cost of a shared type ECS instance of 2 vCPUs and 4GB RAM is $23 USD but the same instance in Pay-As-You-Go costs $0.103 USD per Hour. Monthly cost becomes $0.103*24*30 = $74.16 USD.
    3. Instance Type: Choose the instance type according to your requirements. Resources can be increased later on demand.
    4. Image: You may find the application you wish to install on your ECS instance on a Marketplace image but it is always recommended to install it yourself in a clean official image. Later, if your application encounters some error, you will know where to look.
    5. Storage: System disks are deleted when the ECS instance is released. Use data disk when possible as your disk will be retained even after the instance is accidentally deleted.

    Here’s the configuration I used.

    You can choose the VPC which is created by default. You can add as many as 4092 instances in it. I use a different security group for each ECS instance so that I can configure individually and make sure that no unused port is opened.

    Another important thing is to use key-based authentication rather than using passwords. If you already have a key-pair, you can add the public key to Alibaba Cloud. If not, you can use Alibaba Cloud to create one. Make sure that key is stored in a very secure place, and the key itself is encrypted by a passphrase.

    That’s all the things to keep in mind while creating the ECS instance.

    Setting Up the ECS Instance

    Once you have created your instance and logged into the terminal, there are few things I suggest you should consider before you set up your website.

    1. Rather than using the root account for executing the commands, set up a sudo user on the first connection and always use the sudo user for running the commands. You can also set key based authentication for the sudo user, and disable root login entirely.
    2. Always keep your base image updated.
    3. Alibaba base images do not have any extra package which is not required. Do not install any package that’s not required.
    4. If things go bad during installation, you can always reset the instance by changing the system disk. You don’t need to delete the instance and recreate it.

    I created the sudo user and configured key based auth in it. I updated the base image and set up unattended system upgrades. I followed a tutorial to install Nginx web server, which is a lightweight production-grade web server. Further, I installed PHP 7.2 with PHP-FPM. PHP 7.2 is the latest available version of PHP as of now. Using the latest software will ensure that the system is free from all the bugs and we will also get a faster processing and more stability. Finally, I downloaded the SuiteCRM archive from its official website and deployed the files into Nginx.

    You can use the getting started tutorials or the tutorials written by Tech Share authors to install the applications.

    Configuring Security Group Rules

    It is very important to leave no unused port open in the security group of the ECS instance. Have a look at the security group rules I used for the SuiteCRM instance.

    You can see that I have allowed only the ports 22, 80 and 443 along with all ICMP packets. Port 22 is used for SSH connection. Port 80 is the unsecured HTTP port, which in my case just redirects to the port 443 on HTTPS. ICMP packets are used to ping the host to check if it is alive or not. It’s perfectly okay if you want to drop the ICMP packets as well — you just won’t be able to ping your instance.

    Creating the RDS Instance

    The first question to ask before we create the RDS instance is why exactly we need it. We could install any open source database server such as MySQL, MariaDB, PostgreSQL or MongoDB server on the ECS instance itself.

    The answer to the question is that ApsaraDB for RDS is optimized for speed and security. By default, the instance we create is only accessible to the whitelisted instances only.

    Let’s look at the things to keep in mind when we create the ECS instance.

    1. Region: Always choose the same region for the database instance and the ECS instance. Also, make sure that they both are in the same VPC. This will enable you to leverage the free intranet data transfer between the hosts in the same network. Another advantage is that you will need to whitelist only the private IP address of the ECS instance. This increases the security of the database to a great extent.
    2. Billing: Again, the cost of monthly subscription is less than that of the Pay-As-You-Go method. Choose according to your needs.
    3. Capacity: You can start with a low-end configuration such as 1 Core, 1 GB instance, and 5 GB storage. Later on you can increase resources.
    4. Accounts: Never create the Master account for the MySQL 5.6 instance unless required. You can create a database and a database user for each database.

    Here’s the RDS configuration I used for SuiteCRM.

    Once the MySQL RDS instance was activated, I whitelisted the ECS instance from the Security tab of the instance. As soon as I whitelist the IP address, I got the hostname to the RDS instance along with the port number, which was MySQL default port “3306”. I created a database named “suitecrm” and a database user named “suitecrm” and provided read/write access to the user.

    Using HTTPS

    As the internet is growing more and more websites are being added on daily basis. When Let’s Encrypt certificate authority started giving SSL certificates for free, it became a trend to use SSL on every website. For the purpose of security, it is very important to use SSL on a web application. If the data being exchanged is unencrypted, a person eavesdropping into the network may extract the confidential information.

    Alibaba Cloud also provides SSL certificates, but in my point of view, it is quite expensive. However, with expensive things come extra guarantees. SSL certificates provided by Alibaba Cloud is suitable for enterprise users.

    In the SuiteCRM deployment, I also used Let’s Encrypt’s free SSL to secure the SuiteCRM web application. For generating the certificates by Certbot, which is a client application for Let’s Encrypt CA, the domain needs to be pointed towards the server.

    Alibaba Cloud provides domain names at very reasonable rates with free whois protection. In my case, my client already had the domain name purchased elsewhere. I created a subdomain and pointed the domain to the ECS instance. I installed Certbot and could easily generate the certificates. Never forget to set up a cron job to renew the certificates automatically as the certificates expire every three months.

    Setting Up Direct Mail

    Setting up an email server by yourself should be avoided as to create an enterprise-grade web server requires expertise, time and the cost to maintain get very high. A slight misconfiguration leads the email directly into the spam folder.

    Alibaba Cloud’s Direct Mail service provides a cheaper way to send emails from the application using SMTP. It’s free for the first 200 emails every day. In my case, 200 emails per day are enough, and emails exceeding the free quota is also very cheap. I added a new email subdomain into the Direct Mail. Upon adding the domain, I was asked to update the DNS. I did as instructed and it took some time for the DNS to verify as the propagation takes time. Once done, I added the sender address and I had the SMTP server ready to be used with the application.

    Web-Based Installation

    Finally, I had everything ready. The SuiteCRM application is hosted on ECS, and the database server is hosted on ApsaraDB for RDS. I could easily go through the web-based installation to install the software.

    Here’s the configuration I provided for the database server during the web-based installation of SuiteCRM.

    Similarly, I filled in all the required information and provided the SMTP server details.

    Finally, my application was successfully deployed on Alibaba Cloud. Further, I suggested that the client use ApsaraDB for Memcache to store the session cache of SuiteCRM and to use WAF to secure the application against incoming threats. However, the client didn’t want to implement the suggestions as they’d increase their monthly bill. However, the client was very happy to see the performance of the application on Alibaba Cloud’s platform.

    I frequently write technical blogs on Alibaba Cloud Tech Share platform. Go to the following link to find the tutorials written by me. I will also write the detailed guide of the steps and commands to run which are followed by me to install SuiteCRM on Ubuntu 16.04 on Alibaba Cloud Tech Share Platform.